Lenovo admits installing man-in-the-middle adware

Lenovo has admitted to installing adware on its consumer-centric systems which performs man-in-the-middle attacks on SSL/TLS-encrypted web traffic in order to inject advertising.

Chinese electronics giant Lenovo, which acquired the personal computing business of IBM back in 2005 along with the ThinkPad brand, has admitted to preinstalling a software package dubbed Superfish on selected product ranges. The software includes a browser add-on known as the Superfish Visual Discovery tool, which injects advertising into pages in order to generate revenue for Lenovo above and beyond the cash it receives from the consumer's purchase of the machine.

'Superfish comes with Lenovo consumer products only and is a technology that helps users find and discover products visually,' Lenovo's official response to consumer complaints reads. 'The technology instantly analyses images on the web and presents identical and similar product offers that may have lower prices, helping users search for images without knowing exactly what an item is called or how to describe it in a typical text-based search engine.'

While Lenovo claims that the Superfish software is 'purely based on contextual/image [matching] and not behavioural [tracking],' and that it doesn't monitor or profile user behaviour, users are aggrieved that the software installs a fraudulent certificate authority (CA) as a trusted root in the browser, which allows it to act as a man-in-the-middle (MITM) in encrypted connections. The result: Superfish can invisibly hijack SSL/TLS-encrypted connections, analysing the supposedly secure data stream in order to inject its own advertising - or, if the controlling company should decide to break a few more laws, to send private data back to headquarters.

The security implications are serious enough that browser developers including Firefox creator Mozilla are calling for the certificates to be blacklisted, but Lenovo has indicated that it has no intention of stopping using Superfish in the long term - despite reports that its behaviour can break numerous web-connected applications. 'Due to some issues (browser pop-up behaviour for example) with the Superfish Visual Discovery browser add-on, we have temporarily removed Superfish from our consumer systems until such time as Superfish is able to provide a software build that addresses these issues,' the company told consumers. 'As for units already in market, we have requested that Superfish auto-update a fix that addresses these issues.'

While any update from Superfish should help address the reported issues of crashing applications, it is unlikely to do much to reassure consumers that Lenovo takes their privacy or security seriously.

UPDATE:
Additional details regarding the fraudulent certificate authority installed by Superfish have emerged following this report. The first worrying detail is that the certificate remains installed in the system's browsers even if Superfish itself is uninstalled; the second is that the certificates stored on the system include the CA's private key. This means that the Superfish key can be used to sign a certificate for any website, or any piece of code, and have it implicitly trusted by any system which had Superfish installed at any time, meaning any Lenovo consumer system - as demonstrated by the fraudulent certificates signed with the key that circulated on social media today. This, to put things mildly, is a major security concern, and one Lenovo will likely find itself addressing in a court should consumers have their systems hijacked or data stolen as a result of the company's dealings with Superfish.
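The two properties described above, a root CA that lingers after uninstall and a root CA whose private key is present on the machine, are both things an administrator can check for directly. The following PowerShell audit is an added example, not code from the article or from Lenovo; the 'Superfish' subject pattern and the list of stores it inspects are assumptions to adjust for your own estate.

```powershell
# Added example: audit the Windows root certificate stores for interception CAs
# of the kind the article describes. Two signals are checked per certificate:
#   1. the Subject matches a name pattern ('Superfish', taken from the article;
#      it is an assumption that the name appears in the Subject field);
#   2. the machine holds a private key for a ROOT certificate. A genuine public
#      root never ships its private key, so this flags locally generated MITM roots
#      regardless of what they are called.
$namePattern = 'Superfish'
$stores = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root',
            'Cert:\LocalMachine\AuthRoot', 'Cert:\CurrentUser\AuthRoot')

$findings = foreach ($store in $stores) {
    Get-ChildItem -Path $store -ErrorAction SilentlyContinue | ForEach-Object {
        $reasons = @()
        if ($_.Subject -match $namePattern) { $reasons += "subject matches '$namePattern'" }
        if ($_.HasPrivateKey)                { $reasons += 'private key present for a root CA' }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Store      = $store
                Subject    = $_.Subject
                Thumbprint = $_.Thumbprint
                NotAfter   = $_.NotAfter
                Reasons    = ($reasons -join '; ')
            }
        }
    }
}

if ($findings) {
    $findings | Format-Table -AutoSize
    # Detection and removal are kept separate on purpose: review each hit, then
    # remove it by thumbprint, for example:
    #   Get-ChildItem 'Cert:\LocalMachine\Root\<Thumbprint>' | Remove-Item
} else {
    Write-Host 'No suspicious root CAs found in the audited stores.'
}
```

Firefox keeps its own certificate database rather than using the Windows stores, so a Firefox profile must be audited separately.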

UPDATE 2:
Lenovo has now issued a longer formal statement on the matter. 'Superfish was previously included on some consumer notebook products shipped in a short window between October and December to help customers potentially discover interesting products while shopping,' the company claims. 'However, user feedback was not positive, and we responded quickly and decisively: Superfish has completely disabled server side interactions (since January) on all Lenovo products so that the product is no longer active. This disables Superfish for all products in market; Lenovo stopped preloading the software in January; We will not preload this software in the future.'

The company further claims that it has 'thoroughly investigated this technology and do not find any evidence to substantiate security concerns,' despite the private key having been decrypted and used to sign fraudulent certificates for Lenovo's own website.